| Oct 2 | Introduction | No Reading |
| Oct 7 | Security Basics | Ch. 1 in Anderson,
Saltzer and Schroeder, "The Protection of Information in Computer Systems," Section I only. |
| Oct 9 | Security Models | Ch. 4 Sections 4.1 through 4.2.6 in Anderson,
PostgreSQL 9.3 Manual: GRANT statement, Sec. 5.6 Privileges, Sec. 20.6 Role Membership;
Linux File Security;
AppArmor Overview, profile language. |
| Oct 14 | Multilevel Security | Ch. 8 Sections 8.1, 8.2, 8.3, and 8.6 in Anderson,
Enck et al. "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones." |
| Oct 16 | Threat Modeling | Watch Akshay Aggarwal's introduction to threat modeling: video and slides.
For reference only: CAPEC list version 2.6. |
| Oct 21 | Symmetric Cryptography | Cryptography 101 - The Basics by D. Brumley,
Ch. 5 Section 5.1 to 5.6 in Anderson. |
| Oct 23 | Asymmetric Cryptography | Ch. 5 Section 5.7 to 5.8 in Anderson. |
| Oct 28 | Public Key Infrastructure | A Short Tutorial on Distributed PKI from Isode Ltd.,
PGP Web of Trust: Core Concepts Behind Trusted Communication by K. Ryabitsev,
Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure by C. Ellison and B. Schneier.
Information Security: Before and After Public Key Cryptography by Whitfield Diffie (optional). |
| Oct 30 | Identity and Authentication | Ch. 2 Sections 2.4 through 2.4.5, RFC 5849 OAuth 1.0 (Sec. 1 only), RFC 4226: HOTP (Sec. 1 through 5). |
| Nov 4 | Laws and Ethics | The Computer Fraud and Abuse Act: Hacking Into the Authorization Debate by Alden Anderson (Section I only), Wikipedia: Digital Millennium Copyright Act, Fact Sheet 9: Wiretapping and Eavesdropping on Telephone Calls from the Privacy Rights Clearinghouse, Cybercrime Reference (for reference only) |
| Nov 6 | Midterm Exam | No Reading |
| Nov 11 | Veterans Day | No Class |
| Nov 13 | Buffer Overflows | Smashing The Stack For Fun And Profit by Aleph One. |
| Nov 18 | Buffer Overflows Continued | Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade by Cowan et al., ASLR for Linux from the PaX project, NOEXEC for Linux from the PaX project, Printf (reference for HW 5). |
| Nov 20 | Web Security | XSS Game, CSRF from OWASP, Same Origin Policy from Google (read through "Same-origin policy for cookies"). |
| Nov 25 | SQL Injection | PHP Manual: SQL Injection, |
| Nov 27 | Thanksgiving | No Class |
| Dec 2 | Advanced Web Security | From the Aether to the Ethernet - Attacking the Internet using Broadcast Digital Television by Y. Oren and A. D. Keromytis, Clickjacking by R Hansen and J. Grossman |
| Dec 4 | Network Security | A Look Back at Security Problems in the TCP/IP Protocol Suite by S. Bellovin |
| Dec 9 | Network Security | An Illustrated Guide to the Kaminsky DNS Vulnerability by S. Friedl |
| Dec 11 | Review | No Reading |
| Dec 17 | Final Exam | 11:30am to 2:30pm, Location TBA |